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" The MAILING DATE of this communication appears on the cover sheet with the correspondence address- 
All claims being allowable, PROSECUTION ON THE MERITS IS (OR REMAINS) CLOSED in this application. If not included 
herewith (or previously mailed), a Notice of Allowance (PTOL-85) or other appropriate communication will be mailed in due course. THIS 
NOTICE OF ALLOWABILITY IS NOT A GRANT OF PATENT RIGHTS. This application is subject to withdrawal from issue at the initiative 
of the Office or upon petition by the applicant. See 37 CFR 1.313 and MPEP 1308. 

1 . ^ This communication is responsive to 11/18/05 . 

2. S'The allowed claim(s) is/are 1-16 . 

3. D Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 1 19(a)-(d) or (f). 

a) □ All b) □ Some* c) □ None of the: 

1. □ Certified copies of the priority documents have been received. 

2. □ Certified copies of the priority documents have been received in Application No, . 

3. □ Copies of the certified copies of the priority documents have been received in this national stage application from the 

International Bureau (PCT Rule 1 7.2(a)). 
* Certified copies not received: . 

Applicant has THREE MONTHS FROM THE "MAILING DATE" of this communication to file a reply complying with the requirements 
noted below. Failure to timely comply will result in ABANDONMENT of this application. 
THIS THREE-MONTH PERIOD IS NOT EXTENDABLE. 

4. □ A SUBSTITUTE OATH OR DECLARATION must be submitted. Note the attached EXAMINER'S AMENDMENT or NOTICE OF 

INFORMAL PATENT APPLICATION (PTO-152) which gives reason(s) why the oath or declaration is deficient. 

5. □ CORRECTED DRAWINGS ( as "replacement sheets") must be submitted. 

(a) □ including changes required by the Notice of Draftsperson's Patent Drawing Review ( PTO-948) attached 

1 ) □ hereto or 2) □ to Paper No./Mail Date . 

(b) □ Including changes required by the attached Examiner's Amendment / Comment or in the Office action of 

Paper No./Mail Date . 

Identifying indicia such as the application number (see 37 CFR 1.84(c)) should be written on the drawings in the front (not the back) of 
each sheet. Replacement sheet(s) should be labeled as such in the header according to>37 CFR 1.121(d). 

6. □ DEPOSIT OF and/or INFORMATION about the deposit of BIOLOGICAL MATERIAL must be submitted. Note the 

attached Examiner's comment regarding REQUIREMENT FOR THE DEPOSIT OF BIOLOGICAL MATERIAL. 
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EXAMINER'S AMENDMENT 



1. An examiner's amendment to the record appears below. Should the changes and/or 
additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 
1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the 
payment of the issue fee. 

A nthnri ^ ^nt in n f n rthiT i ' .n iiiiii i ^ ' . ( iii n iii lmpnt V i ^n civpn in n tMpphnnr intmnow v . nth 
-S teven Grconborg on 2/17/06 : 



Authorization for a supplemental examiner's amendment was given in a telephone 
interview with Scott D. Paul on 6/26/06. 



1 . A method of preventing a flooding attack on a network^jefver in which a large 
number of requests are received for connection to a particyJ^ port number on the server, 
comprising: 

recognizing a particular host comjigt^ing to the port number on the server; 
calculating a number of cprinections to the port attributed to the host; 
determining, in re^Jonse to a request fi-om the host for a connection to the port, if the 
number of connecUdns to the port attributed to the host exceeds a prescribed threshold, and, if so, 
denvja^ the request for a connection. 
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5. Apparatus for preventing a ^ flooding at tack Oh a netWdrk servei' ill wliich 

number of requests are received for connection to a particular port number on the sep/€r, 
comprising: 

means for recognizing a particular host connecting to the port numj^er on the server; 
means for calculating a number of connections to the port attnmited to the host; 
means for determining, in response to a request from the host for a connection to the port, 
if the number of connections to the port attributed to the host^xceeds a prescribed threshold, and 
means responsive to the determining means for drying the request for a connection. 



9. A storage media containing program ^de segments for preventing a flooding attack 
on a network server in which a large numbejrof requests are received for connection to a 
particular port number on the server, comprising: 

a first code segment activat^ to recognize a particular host connecting to the port 
number on the server; 

a second code segni^t to calculate a number of connections to the port attributed to the 

host; 

a third code/^egment activated in response to a request from the host for a connection to 
the port for determining if the number of connections to the port attributed to the host exceeds a 
prescribe threshold, and 

a fourth code segment responsive to the third code segment for denying the request for a 
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10. The media of claim 9 in which the second co H^ gp^f>nt fm (Ium t pi i' !■■ 

a fifth code segment for overriding the denial and allowing the request if a quality of 
service parameter pertaining to the requesting host permits the override. 

1 1 . The media of claim 10 fiirther comprising a sixth code segmem for denying a 
connection request in any event if the number of available connectic^ to the port are less than a 
constrained threshold. ' X 

12. The media of claim 9 or claim 10 or cl£dm 1 1 fiirther comprising: 

a seventh code segment for calculating Ine prescribed threshold by multiplying a 
percentage P by the number of available cjemections remaining for the port. 

13. A carrier wave corij2miing program code segments for preventing a flooding attack 
on a network server in whk^n a large number of requests are received for cormection to a port 
number on the servej?^omprising: 

a first cpue segment activated to recognize a particular host connecting to the port 
number opnhe server; 

a second code segment to calculate a number of connections to the port attributed to the 
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^ T third rnHft cejrmer^i artivfltpfl ir | ff^po p se to a re q uf ^ st fro^ ^^^^ ^^^ - ^ nnnnnntjnn — ' 

the port for determining if the number of connections to the port attributed to the host exceedg^ 
prescribed threshold, and / 

a fourth code segment responsive to the third code segment for denying the/request for a 
connection. / 

14. The carrier wave of claim 13 in v^hich the second code^gment further comprises: 
a fifth code segment for overriding the denial and allowing the request if a quality of 

service parameter pertaining to the requesting host permfts the override. 

15. The carrier wave of claim 14 fopdier comprising a sixth code segment for denying a 
connection request in any event if thp^umber of available connections to the port are less than a 
constrained threshold. 

16. The^rrier wave of claim 13 or claim 14 or claim 15 further comprising: 
^^^seventh code segment for calculating the prescribed threshold by multiplying a 

jiercefitage^i^y xhe number of available connecti ons leiiiaiim i g for the port. " — ^ 



Amendment of Specification 



On page 4 of the specification on the last paragraph, please omit the sentence 
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The last paragraph of page 4 should be amended as follows: 
A similar technique can be applied to connectionless 
traffic, such as UDP datagrams. This is th e subj e ct matt e r 
of pat e nt application numb e r 

Reasons for Allowance 

Ud CO 

— In Applitaiil 's mdepen denl clalilis lecitc thc 4ixniMLon, 



• "Recognizing a particular host connecting to the port number on the serv^p^ 

Previously, the Examiner rejected the independent claimsjLtsmg Schuba, US patent, 6725378. 

Schuba (Column 4, lines 53-67) detecJs^T a particular maximum number of connections have 
been reached per port. If it i^^d^termined that the maximum number of connections on that port 
has been reached, Schliba will discard all further connections per port. 



SchHba however fails to disclose a particular recognition of the connections coming about from a 
^siagiil ar h o st Tnstpn d > Schuba porformti a blaiikei opei 'a llon Wheife all fUilliei ' coimtLliuns lu Ihc 
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jlprt nrp-TrmpH ntt rnrhpr rnm i tlriiyitiv Hn-nr^finnnt for n ron nection to th e port from an attrihutec 
and "recognized" host. 



A rejection based on Pars Mutaf "Defending against a Denial of Service Attac^/mi TCP" was 
also previously made. 

Mutaf, page 6, discloses a detection of an attack where if the numjg^er of received SYN segments 
per second by a given TCP port exceeds a maximum or presc^ed threshold, the network 
monitor is to consider the event an attack. 

Mutaf additionally fails to recite an explicit "recognition" of the attack arising from an identified 
host, and only identifies the attack based on^e threshold of the port, rather than the two aspect 
analysis of recognizing the host and det^mining if the number of connections exceeds a 
threshold. 

Mutaf and Schuba have been/dentified as the Examiner as the closest art of record, both of them 
deficient on the limitation of "Recognizing a particular host connecting to the port number on the 
server". Indeed, th&^act that Schuba and Mutaf suffer from the same deficiency appears to speak 
of a en explicit/^d reasonably well identified boundary on the current state of the art regarding 
"Denial o/Service" identification and flooding attack protection. 



?6r this reasoiL 



Tiner has withdrawn all rejections, and has allowed the pending claims. 
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Conclusion 

3. Any inquiry concerning this communication from the examiner should be directed to 
Thomas M Ho whose telephone number is (703)305-8029. The examiner can normally be 
reached on M-F from 8:30 AM - 5:00 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
(Sfegftry A. MOKgcan be reached on-;p^3^^^Sd-. The fax phone numbers for the 

» 

organization where this application or proceeding is assigned arc ^pQl 3Q^f or regular 
communications and;j^3)W'6-7S*&^ur After Final communications. 

Any inquiry of a general nature or relating to the status of this application or proceeding should 
be directed to the receptionist whose telephone number is ^JQ3)306 - 5184 ,--—. 



TMH 



February 18^ 2006 



